A cyber-espionage group is attacking high-level targets in the EU

Threat actor YoroTrooper has compromised the accounts of key EU healthcare institutions, several embassies, and the World Intellectual Property Organization (WIPO).

A Report From Cisco Talos (via Beep computer) indicate that a large amount of data such as credentials, cookies, and browser history has been stolen from many infected endpoints.

These include companies belonging to government agencies and energy companies in the countries of the Commonwealth of Independent States (CIS) in Eurasia.

YoroTrooper Unique Threat Activity

While BleepingComputer noted that YoroTrooper was previously known to spread known malware such as PoetRAT and LodaRAT, Cisco believes it has turned to designing its own remote access Trojan (RAT) written in Python to do the job.

In summer 2022, Belarusian organizations were hit with infected PDF files sent from email domains claiming to be Belarusian or Russian organizations. In September of that same year, YoroTrooper registered a phishing domain name to resemble a Russian government agency as closely as possible.

This tactic stems from the need for YoroTrooper’s phishing emails to look as legitimate as possible, especially since its latest trick involves attaching infected RAR and ZIP attachments to obtain national security information across the region.

In 2023, threat groups move fast. In January, it began publishing an information-stealing script to extract credentials from Chromium-based browsers, but in February it has moved to a new modular tool called “Stink.”

In addition to Chromium browser penetration and basic system information, the new tool will also download files from FTP clients Filezilla and messaging app Discord and Telegram.

YoroTrooper’s motives, means, and backers are unclear, but the move to custom tools could be a worrying development for the corporate world.

• here is our list best firewall Now